[SOLVED] 5.0 GA OSS https redirect disable

[Jurykov]

Hello,

Just upgraded to 5.0 GA OSS and everything went very smoothly. Have been running it for about 48 hours with no problems at all. Thank you to everyone at Zimbra for making such a great piece of software.

Now for my problem. I set zmtlsctl redirect, and everything worked as expected. All connections get redirected to https as they should. Some of my users are not very computer savvy (and geographically separated), and they are having trouble accepting the SSL certificate in IE.

I would like to revert back to standard HTTP, but it doesn't seem to be working.

zmtlsctl redirect:
Redirects to https as expected

zmtlsctl http:
Attempting to connect to the standard http port, redirected to https and getting a unable to connect error

zmtlsctl both:
Login is redirected to https, and UI stays in https

zmtlsctl mixed:
Login is redirected to https, UI stays in https

(zmcontrol stop and start between all of the above)

I would like to just revert back to straight http for now. Anyone see what I'm missing?

Thanks

[mmorse]

Check the auth url: SMTP Auth Problems - Zimbra :: Wiki

CLI zmtlsctl to set Web Server Mode - Zimbra :: Wiki

[Jurykov]

When I have it set to redirect mode grepping auth shows the following:

zimbra@mail:~$ zmprov gs mail.xxxx.com | grep Auth
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail.xxxx.com
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: http://mail.xxxx.com/service/soap/
zimbraMtaTlsAuthOnly: TRUE
zimbra@mail:~$ zmprov gs mail.xxxx.com | grep Mode
zimbraBackupMode: Standard
zimbraMailMode: redirect

After setting to http only mode it shows the same thing

zimbra@mail:~$ zmprov gs mail.xxxx.com | grep Auth
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail.xxxx.com
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: http://mail.xxxx.com/service/soap/
zimbraMtaTlsAuthOnly: TRUE

Do these look correct?

Redirect mode works, http only does not. I'm perplexed that under redirect mode, with that URL set to regular http that it is working, shouldn't it be set to https in that mode?

Trying to set the zimbraMtaAuthUrl to http://mail.xxxx.com:80/service/soap/ (like the example on the page you linked) gives me an error. Setting it to mail.xxxx.com makes no change.

Thanks for pointing me to that page. I'm going to try to play with it a little tonight, now that most of my users have gone home.

Any other ideas you might have would be appreciated.

[jholder]

Did you restart jetty?
zmmailboxdctl restart

[boblin]

I found this strange behaviour. Maybe is the same problem:

Code:

zimbra@mail:~$ zmprov gs mail.domain.com zimbraMailMode
# name mail.domain.com
zimbraMailMode: mixed

zimbra@mail:~$ zmtlsctl both
Fri Jan 11 14:53:12 2008  Service archiving is not enabled.  Skipping archiving
Fri Jan 11 14:53:12 2008  Service imapproxy is not enabled.  Skipping imapproxy
Fri Jan 11 14:53:12 2008  Rewrote: /opt/zimbra/mailboxd/webapps/zimbra/WEB-INF/web.xml
Fri Jan 11 14:53:12 2008  Rewrote: /opt/zimbra/mailboxd/etc/jetty.properties
Fri Jan 11 14:53:12 2008  Rewrote: /opt/zimbra/conf/log4j.properties
Fri Jan 11 14:53:12 2008  Rewrote: /opt/zimbra/mailboxd/webapps/service/WEB-INF/web.xml
Fri Jan 11 14:53:12 2008  Rewrote: /opt/zimbra/mailboxd/etc/jetty.xml
Fri Jan 11 14:53:12 2008  Rewrote: /opt/zimbra/mailboxd/webapps/zimbraAdmin/WEB-INF/web.xml
zimbra@mail:~$ zmprov gs mail.domain.com zimbraMailMode
# name mail.domain.com
zimbraMailMode: both

zimbra@mail:~$ zmcontrol stop;zmcontrol start
Host mail.domain.com
        Stopping stats...Done
        Stopping mta...Done
        Stopping spell...Done
        Stopping snmp...Done
        Stopping archiving...Done
        Stopping antivirus...Done
        Stopping antispam...Done
        Stopping imapproxy...Done
        Stopping mailbox...Done
        Stopping logger...Done
        Stopping ldap...Done
Host mail.domain.com
        Starting ldap...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
zimbra@mail:~$ zmprov gs mail.domain.com zimbraMailMode
# name mail.domain.com
zimbraMailMode: mixed

[Rich Graves]

zmtlsctl redirect doesn't redirect all URLs. For example, if you've already logged in, http://server.com/home/~/Calendar.html can be browsed as HTTP. This also means that cookies aren't tagged as restricted to https.

[Jurykov]

I've been away from an internet connection for a little over a week, and thought I'd give this a little bump. I still can't get my connection back to http only. When I set:

zmtlsctl http

My connection is still redirected to https and fails to load any page at all (in both IE7 and Firefox).

Is there any other information I can post to give someone some idea of what is going on? I've tried every setting, used zmcontrol stop/start or restarted jetty and even resorted to a soft boot inbetween changes, but nothing seems to make a difference.

Thanks to those who have chimed in so far, but nothing I've tried has made a change yet.

[trogers]

I just wanted to mention that I am having precisely the same problem. I am using the Network version trial.

I also configured for https 'redirect' mode immediately after my initial installation, but wanted to reconfigure to 'http' or 'mixed' mode to better support older web clients. Neither worked.

My guess is that there is some Jetty configuration which is not being reset correctly. But that is only a guess.

Has anyone found a solution to this bug?

[trogers]

According to Zimbra support, this is a known issue:

Bug 24884 - zmtlsctl doesn't update zimbra.web.xml.in or zimbraAdmin.web.xml.in

and they offer the following workaround:

su - zimbra

cp /opt/zimbra/jetty/etc/zimbra.web.xml.in /tmp/zimbra.web.xml.in

edit /opt/zimbra/jetty/etc/zimbra.web.xml.in, and remove the "REDIRECT" section, it's close to the bottom of the file.

zmtlsctl http

zmcontrol stop

zmcontrol start

At this point, http mode should be working. If you wish to use the "both" mode, you can run:

zmtlsctl both

zmcontrol stop

zmcontrol start

Hope this helps!

[Jurykov]

Thank you very much. I had pretty much given up on this as we had gotten used to it. This fix worked perfectly. Hope this helps someone else as well.

Thanks again,

Jurykov